[BreachExchange] Georgia Patches Voter Website, But Hacking Accusation Stands

Destry Winant destry at riskbasedsecurity.com
Wed Nov 7 05:12:05 EST 2018


https://www.databreachtoday.com/georgia-patches-voter-website-but-hacking-accusation-stands-a-11679

Georgia has quietly fixed two elementary web vulnerabilities in its
voter registration website that could have exposed personal
information, ProPublica reports.

How the Georgia secretary of state's office learned of the
vulnerabilities and reacted suggests it may have erred when making a
sensational accusation against the Democratic party of Georgia just
two days before the U.S. midterm elections (see: Georgia Election
Further Complicated by Hacking Accusation).

On Sunday, before the website was fixed, the office of the secretary
of state for Georgia announced that it had launched an investigation
into Georgia's Democratic party for "possible cybercrimes" related to
the state's voter registration system. In another release, the state
referred to the situation as a failed cyberattack.

The accusation came from the office of Secretary of State Brian Kemp,
who is also the Republican candidate for governor. Kemp is in a tight
race with Democrat Stacey Abrams in one of the most closely watched
gubernatorial races in the country.

Democrats called the accusation a "political stunt," and the charge
was met with widespread skepticism.

Personal Data Exposed

ProPublica reported on Monday that the Georgia state website, My Voter
Page, was modified on Sunday to fix two vulnerabilities found by a man
named Richard Wright.

On Sunday, Georgia Democrats said they'd been notified of possible
vulnerabilities on the website by Wright. A volunteer with the party's
Voter Protection Hotline, Rachel Small, received an email from Wright,
it says.

Small then forwarded the email to Sara Ghazal, the voter protection
director for Georgia Democrats, who then sent it on to law enforcement
and the state. Georgia Democrats published the email that Small
allegedly received from Wright.

In the email, Wright describes two findings. The My Voter Page has a
section for downloading sample ballots and poll cards. But Wright
writes that "the URL allows you to download any file on the system."

The second issue was with the voter registration service. Wright
writes that someone can download a voter registration form to fill out
by hand and mail.

But the URLs for that page can also be manipulated and incremented,
which then causes other voters' personal data to be exposed, including
driver's license numbers and the last four digits of Social Security
numbers and addresses.
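
Flaws of the two kinds Wright describes are generally closed by two
server-side checks: confining a requested file name to the download
directory, and confirming that a requested record belongs to the
requester. The sketch below is an added example, not code from the My
Voter Page site or from the article; the function names, directory
layout and record structure are assumptions, since the site's
implementation is not described here.

```python
from pathlib import Path


class Denied(Exception):
    """Raised when a request falls outside what the caller may access."""


def resolve_download(base_dir: Path, requested: str) -> Path:
    """Map a client-supplied file name to a file inside base_dir, or refuse.

    base_dir and requested are hypothetical names for the directory that
    holds sample ballots / poll cards and the value taken from the URL.
    """
    base = base_dir.resolve()
    # resolve() collapses ".." segments and follows symlinks, so the
    # containment check below runs on the path that would really be opened.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise Denied("path escapes the download directory") from None
    if not candidate.is_file():
        raise Denied("no such document")
    return candidate


def fetch_registration(records: dict, session_voter_id: int,
                       requested_id: int) -> dict:
    """Return a registration record only to the voter it belongs to.

    The ID in the URL is treated as untrusted input: it must match the
    identity bound to the authenticated session, so changing the number
    in the URL yields a refusal instead of another voter's data.
    """
    if requested_id != session_voter_id:
        raise Denied("record belongs to another voter")
    try:
        return records[requested_id]
    except KeyError:
        raise Denied("no such record") from None
```

Both functions fail closed: any request they cannot positively tie to
the download directory or to the session's own record is refused.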

ProPublica attempted to replicate Wright's discoveries, but found by
Sunday the issues had been fixed.

Voter Website Quietly Patched

ProPublica's story suggests that Georgia had incomplete information
before it made an accusation against Democrats. It writes that Georgia
"did not know that Small had received her information from Wright -
and assumed Small had written the code herself - until ProPublica told
them of the connection on Sunday evening."

So far, the state hasn't issued an update on its investigation into
Georgia Democrats. Statements by a Kemp spokeswoman to both ProPublica
and Ars Technica indicate the state still believes the site was
subjected to an attempted cyberattack.

ProPublica writes that Kemp spokeswoman Candice Broce told the
publication that in order to open an investigation, someone doesn't
have to actually find a vulnerability for the situation to be
potentially criminal. Ars also quotes Broce as saying there were no
vulnerabilities on the website.

"All you need, to open an investigation, is information suggesting
plans and an attempt to put together some kind of program or utilize
specialized tools to find a vulnerability. We did have evidence," Broce
told ProPublica.

The legal boundary between legitimate security research and criminal
intrusion is fuzzy. Often, the actions needed to determine whether a
vulnerability even exists, such as incrementing a number in a URL,
would technically break the law.

But legal experts say it's unlikely that prosecutors would bring a
case against someone - in this case Wright - for discovering a
vulnerability and seeking to responsibly report it.

